Skill v1.0.0
ClawScan security
BookMorph Magic · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 11:13 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an internal orchestration template that bundles locally produced media into episode directories; its requirements and actions match its description and it does not request extra credentials, install remote code, or reach out to external endpoints.
- Guidance: This package is a local orchestration template: it expects you to wire your own adapters that produce media files, then call the included Python script to bundle them. Before installing or using it, check any adapters you wire in (or other skills you connect) for network access or credential usage, and avoid passing sensitive system paths to the bundle commands: the script will copy any absolute paths you supply into the episode directory. If you plan to run adapters from third parties, vet them separately because this template will happily package outputs they produce.
Review Dimensions
- Purpose & Capability: ok. The name/description promise (book→video/audio/cover bundle and manifest) matches the included instructions and script: parsing episode identifiers, preparing output directories, copying supplied media, and writing a manifest. Nothing requested (no env vars, no binaries) is unrelated to that purpose.
- Instruction Scope: ok. SKILL.md confines runtime behavior to: parse episode text, invoke a local Python helper, run three adapter steps (book selector, longform generator, cover generator) supplied by the integrator, and bundle/copy local files into an output directory. The instructions do not direct reading of unrelated system files, environment variables, or sending data to external endpoints. The adapters themselves are external and must be provided by the user.
- Install Mechanism: ok. No install spec or remote downloads; this is instruction-only with one included Python script. Nothing is fetched from arbitrary URLs or installed into system locations.
- Credentials: ok. The skill requests no environment variables, no credentials, and no config paths. The script operates on absolute file paths supplied at runtime; this is appropriate for a bundling/template utility.
- Persistence & Privilege: ok. The skill is not always-enabled, is user-invocable, does not change other skills' configuration, and does not request persistent agent-level privileges.
